Abstract

A low storage algorithm for constructing isogenies between ordinary 
elliptic curves was proposed by Galbraith, Hess and Smart (GHS). We give 
an improvement of this algorithm by modifying the pseudorandom walk 
so that lower-degree isogenies are used more frequently. This is motivated 
by the fact that high degree isogenies are slower to compute than low 
degree ones. We analyse the running time of the parallel collision search 
algorithm when the partitioning is uneven. We also give experimental 
results. We conclude that our algorithm is around 14 times faster than the 
GHS algorithm when constructing horizontal isogenies between random 
isogenous elliptic curves over a 160-bit prime field. 

The results apply to generic adding walks and the more general group
action inverse problem; a speed-up is obtained whenever the cost of
computing edges in the graph varies significantly.

1 Introduction 

Let $E_1$ and $E_2$ be elliptic curves over a finite field $\mathbb{F}_q$. If $\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$
then there is an isogeny $\phi : E_1 \to E_2$ over $\mathbb{F}_q$ [34, Theorem 1]. The isogeny
problem is to compute such an isogeny.

Problem 1 (Isogeny Problem). Let $E_1/\mathbb{F}_q$ and $E_2/\mathbb{F}_q$ be ordinary elliptic
curves satisfying $\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$. Compute an $\mathbb{F}_q$-isogeny $\phi : E_1 \to E_2$.

The isogeny problem for ordinary elliptic curves (we do not consider the 
supersingular case in this paper, though it is also interesting) over finite fields is a 
natural problem, which has at least two important applications in cryptography. 

First, it allows one to understand whether the difficulty of the discrete logarithm
problem (DLP) is equal for all elliptic curves with the same number of points
over $\mathbb{F}_q$. If $E_1$ and $E_2$ are ordinary then $\mathcal{O}_1 = \mathrm{End}_{\mathbb{F}_q}(E_1)$ and $\mathcal{O}_2 = \mathrm{End}_{\mathbb{F}_q}(E_2)$
are orders in an imaginary quadratic field $K$. Let $\mathcal{O}_K$ be the ring of integers of
$K$ and define the conductor $c(E_i) = [\mathcal{O}_K : \mathcal{O}_i]$ for $i = 1, 2$. If there is a large
prime $\ell$ such that $\ell \mid c(E_1)$ and $\ell \nmid c(E_2)$ (or vice versa) then it seems to require
at least $O(\ell^{?})$ steps to compute an isogeny between $E_1$ and $E_2$, as explained in
Section 6.1. However, if this does not happen (in which case we say that the
curves have comparable conductors) then it can be feasible to compute an isogeny
from $E_1$ to $E_2$ using the algorithms due to Galbraith [11] or Galbraith, Hess
and Smart [12] (GHS); the heuristic complexity is $O(q^{1/4 + o(1)})$ bit operations.
As has been observed by Jao, Miller and Venkatesan [18], and further discussed
by Koblitz, Koblitz and Menezes [19, §11], it follows that the DLP is random
self-reducible among curves with the same number of points and comparable
conductors.

Second, the problem of constructing isogenies between ordinary elliptic curves
is the basis of the security of some recently proposed cryptographic schemes
(see, among others, Stolbunov [32]). Cryptographic key sizes for these schemes
should be chosen based on the complexity of the isogeny problem.

Galbraith, Hess and Smart [12] gave an algorithm, based on pseudorandom
walks in the isogeny graph, to solve the problem. At each step in the GHS
algorithm an isogeny of relatively small degree $\ell$ is computed. The starting
point of our work is the observation that the cost of computing an isogeny
depends on $\ell$ (see Fig. 3), and so it makes sense to choose a pseudorandom walk
which "prefers" to use the fastest possible isogenies. Similar ideas have also
been used previously by other authors: Bisson and Sutherland [5] in their algorithm
for computing the endomorphism ring of ordinary elliptic curves; Stolbunov [32]
in a family of cryptographic schemes based on isogenies.

The main problem is that making the pseudorandom walks "uneven" means
that the walks are "less random", and so the number of steps in the algorithm
to solve the isogeny problem increases. However, this increase in cost is offset by
the saving in the cost of computing isogenies. We analyse the effect of "uneven"
partitions and suggest some good choices of parameters for the algorithm. We
also give experimental results to support our analysis.

The paper is organised as follows. In Section 2 we introduce a generalisation
of the isogeny problem called the group action inverse problem (GAIP). We then
explain why the isogeny problem is the same as the GAIP in the case of an ideal
class group; we call this the $\mathcal{C}\ell$-GAIP. In Section 3 we re-formulate (a variant
of) the GHS algorithm as a generic algorithm for solving the GAIP and describe
how it applies to the $\mathcal{C}\ell$-GAIP. In Section 4 we provide a theoretical analysis
of the expected running time of the idealised algorithm. Section 5 discusses
how the idealised algorithm and the real implementation differ, and gives some
experimental results. Section 6 then makes some predictions about how the
algorithm will perform for isogeny computations, and determines the speedup
of our ideas compared with the algorithm described by Galbraith, Hess and
Smart. The main consequence of our work is that the isogeny problem can be
solved in less than one tenth of the time of the GHS algorithm.

2 Definitions and Notation 

2.1 The Group Action Inverse Problem 

Let $G$ be a finite abelian group, and $X$ a non-empty set. A (left) action of $G$
on $X$ is a map

$$G \times X \to X, \qquad (g, x) \mapsto g * x,$$

which satisfies the associativity property $(gh) * x = g * (h * x)$ for all $g, h \in G$,
$x \in X$, and the property $e * x = x$ for the identity element $e \in G$ and all $x \in X$.
The orbit of a set element $x \in X$ is the subset $G * x = \{g * x \mid g \in G\}$. The
orbits of the elements of $X$ are equivalence classes. The stabilizer of $x$ is the set
of all elements in $G$ that fix $x$: $G_x = \{g \in G \mid g * x = x\}$.

Problem 2 (Group Action Inverse Problem). Let $G$ be a finite abelian group
acting on a non-empty set $X$. Given elements $x, y \in X$, find a group element
$g \in G$ such that $g * x = y$.

When the action of G on X is transitive, that is, X is finite and there is 
only one orbit, then the GAIP has at least one solution. When the action is 
free, i.e. the stabilizer of any set element is trivial, then the GAIP has at most 
one solution. In the case of a free and transitive action, the set X is called a 
principal homogeneous space for the group G, and the GAIP has exactly one 
solution. This last type of GAIP will be considered in the rest of the paper. 

2.2 The Isogeny Problem and the Class Group Action Inverse Problem

Recall from the introduction that $E_1$ and $E_2$ are ordinary elliptic curves over $\mathbb{F}_q$
with $\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$, $\mathcal{O}_i = \mathrm{End}_{\mathbb{F}_q}(E_i)$ and $c(E_i) = [\mathcal{O}_K : \mathcal{O}_i]$ for $i = 1, 2$.
As noted by Galbraith [11] (building on work of Kohel [20]), a natural approach
to compute an isogeny from $E_1$ to $E_2$ is to first take "vertical" isogenies to
elliptic curves $E_1'$ and $E_2'$ such that $\mathrm{End}_{\mathbb{F}_q}(E_i') = \mathcal{O}_K$, so that the isogeny problem
is reduced to computing a "horizontal" isogeny from $E_1'$ to $E_2'$. Alternatively, if
$\mathcal{O}_1$ and $\mathcal{O}_2$ are comparable, but both $c(E_1)$ and $c(E_2)$ have a large prime factor,
one can use horizontal and/or vertical isogenies from $E_1$ to a curve $E_1'$ such that
$\mathrm{End}_{\mathbb{F}_q}(E_1') = \mathcal{O}_2$ and the problem is again reduced to computing a horizontal
isogeny.

So, without loss of generality, we assume for the remainder of the paper that
$\mathrm{End}_{\mathbb{F}_q}(E_1) = \mathrm{End}_{\mathbb{F}_q}(E_2)$. Define $\mathcal{O}$ to be the order $\mathrm{End}_{\mathbb{F}_q}(E_1)$. Write $\mathcal{C}\ell(\mathcal{O})$
for the group of invertible $\mathcal{O}$-ideals modulo principal $\mathcal{O}$-ideals and $h(\mathcal{O})$ for the
order of $\mathcal{C}\ell(\mathcal{O})$.

The theory of complex multiplication implies that there are $h(\mathcal{O})$ isomorphism
classes of elliptic curves $E$ over $\mathbb{F}_q$ with $\mathrm{End}_{\mathbb{F}_q}(E) = \mathcal{O}$ and a fixed number
of points $\#E(\mathbb{F}_q)$. There is a (non-canonical) one-to-one correspondence
between isomorphism classes of elliptic curves $E$ over $\mathbb{F}_q$ with $\mathrm{End}_{\mathbb{F}_q}(E) = \mathcal{O}$
and ideal classes in $\mathcal{C}\ell(\mathcal{O})$ [31]. There is a (canonical) one-to-one correspondence
between invertible $\mathcal{O}$-ideals $\mathfrak{l}$ and isogenies, such that if $\mathfrak{l}$ is an ideal of
norm $\ell$ and $E$ is an elliptic curve corresponding to the ideal $\mathfrak{a}$ then there is an
$\ell$-isogeny from $E$ to $E'$ where $E'$ corresponds to the ideal $\mathfrak{a}\mathfrak{l}^{-1}$. Galbraith, Hess
and Smart [12] show how, given an elliptic curve $E$ and an ideal $\mathfrak{b}$, one can
efficiently compute an explicit isogeny $\phi : E \to E'$ corresponding to $\mathfrak{b}$ via the
above correspondence.

Let $X$ be the set of isomorphism classes of elliptic curves $E$ over $\mathbb{F}_q$ with
$\mathrm{End}_{\mathbb{F}_q}(E) = \mathcal{O}$ and a fixed $\#E(\mathbb{F}_q)$. It follows that $\mathcal{C}\ell(\mathcal{O})$ acts on $X$ and
so we can define $\mathfrak{b} * E$ to be the isomorphism class of the image curve for the
isogeny corresponding to $\mathfrak{b}$. The horizontal isogeny problem is a special case of
the GAIP, which we call the class group action inverse problem ($\mathcal{C}\ell$-GAIP).
Problem 3 (Class Group Action Inverse Problem). Let $E_1/\mathbb{F}_q$ and $E_2/\mathbb{F}_q$
be ordinary elliptic curves satisfying $\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$ and $\mathrm{End}_{\mathbb{F}_q}(E_1) =
\mathrm{End}_{\mathbb{F}_q}(E_2) = \mathcal{O}$. Find the ideal class $[\mathfrak{b}] \in \mathcal{C}\ell(\mathcal{O})$ such that the curves $\mathfrak{b} * E_1$
and $E_2$ are isomorphic.

Hence, for the rest of the paper we study the GAIP, keeping in mind this 
specific application. 

Let $H = \{\mathfrak{l}_1, \dots, \mathfrak{l}_r\}$ be a set of distinct prime ideals. We define the ideal
class graph to be the graph with vertex set $\mathcal{C}\ell(\mathcal{O})$ and, for each $\mathfrak{l} \in H$, an edge
$(\mathfrak{a}, \mathfrak{a}\mathfrak{l})$ for all $\mathfrak{a} \in \mathcal{C}\ell(\mathcal{O})$. Similarly, we define the isogeny graph to have vertex
set the isomorphism classes of elliptic curves with endomorphism ring $\mathcal{O}$ and
an edge between two isomorphism classes if there is an isogeny between them
corresponding to an ideal $\mathfrak{l} \in H$.

2.3 Other Notation 

By $a \leftarrow b$ we denote the assignment of value $b$ to a variable $a$. By $a \xleftarrow{R} G$ we
mean that $a$ is sampled from the uniform distribution on the set of elements
of $G$. We write $\#S$ for the number of elements in $S$. By $\log(n)$ we denote the
binary logarithm of $n$. All equalities of the form $f(x) = O(g(x))$ are one-way
equalities that should be read as "$f(x)$ is $O(g(x))$".

3 Algorithm for Solving the GAIP and the $\mathcal{C}\ell$-GAIP

3.1 Previous Isogeny Problem Algorithms 

The first algorithm for solving the isogeny problem (equivalently, the $\mathcal{C}\ell$-GAIP)
was proposed by Galbraith [11]. Let $E_1$ and $E_2$ be elliptic curves over $\mathbb{F}_q$ with
$\mathrm{End}(E_i) = \mathcal{O}$ (alternatively, let $x$ and $y$ be $\mathcal{O}$-ideal classes). The idea was to
construct two graphs of elliptic curves (subgraphs of the isogeny graph), one
rooted at $E_1$ and the other at $E_2$ (equivalently, two subgraphs of the ideal
class graph rooted at $x$ and $y$ respectively). Edges in the graph correspond to
small-degree ideals. By the birthday paradox, when the graphs have total size
approximately $\sqrt{\pi h(\mathcal{O})}$ one expects them to have a vertex in common, in which
case we have a path of isogenies from $E_1$ to $E_2$. Indeed, under the assumption
that the graphs behave like random subgraphs from the point of view of their
intersection, it is natural to conjecture that the algorithm halts when the total
number of vertices visited is, on average, $\sqrt{\pi h(\mathcal{O})}$. Note that this algorithm
requires an exponential amount of time and memory.

The second, and previously the best, algorithm was due to Galbraith, Hess
and Smart [12] (in particular stage 1 of the algorithm described in that
paper). The major improvement was to use pseudorandom walks and parallel
collision search in the isogeny graph, rather than storing entire subgraphs. We
give a generic description of this method in the next section. The advantage of
the GHS method is that it only requires a polynomial amount of memory, and
can be easily parallelised or distributed.

Although this paper considers the classical computational model, we note 
that a subexponential-time quantum algorithm for the isogeny problem has been 
proposed by Childs, Jao and Soukharev [B]. 
3.2 Generic Description of the GAIP Solving Algorithm

Let the GAIP $(x, y)$ be defined for a group $G$ acting on a set $X$, and let $r$ be
a positive integer greater than or equal to the rank of $G$. Choose a generating set
$H = \{g_1, \dots, g_r\} \subset G$ and consider a graph $\Gamma$ with vertices the elements of $X$,
and edges $(z, g_i * z)$ for all $1 \le i \le r$. In the special case $G = \mathcal{C}\ell(\mathcal{O})$, $X$ the
set of isomorphism classes of elliptic curves with endomorphism ring $\mathcal{O}$, and
$H = \{\mathfrak{l}_1, \dots, \mathfrak{l}_r\}$, we obtain the isogeny graph defined in Section 2.2.

To solve the GAIP it suffices to find an (undirected) path in $\Gamma$ between $x$
and $y$. A natural way to do this is to use (pseudo)random walks in $\Gamma$, starting
from $x$ and $y$. For instance one can use a random function $v : X \to \{1, \dots, r\}$
and the map

$$\psi : X \to X, \qquad z \mapsto g_{v(z)} * z.$$

The following language will be used throughout the paper: the function $v(z)$ is
a partitioning function, because it defines a partition $P$ on the set $X$. By an
abuse of notation we will call parts in $P$ partitions. Note that we do not require
all partitions to be of the same size. Partitioning probabilities $p_1, \dots, p_r$ are
defined as

$$p_i = \Pr\big[\, v(z) = i \;\big|\; z \xleftarrow{R} X \,\big]$$

for all $1 \le i \le r$.

A walk on $\Gamma$ is a sequence of nodes computed as

$$z_{j+1} = \psi(z_j).$$

A hop is one edge in the graph (i.e., one step of the walk). The set $H$ is called
the supporting set for walks on $\Gamma$. The above walk is a generalization of the
adding walk proposed by Teske for groups [35].

One can apply the parallel collision search concept, as proposed by van
Oorschot and Wiener [37]. To do this, define a subset $X_D$ of distinguished
elements in $X$, such that it is easy to verify that $z \in X_D$. Pseudorandom walks
in $\Gamma$ are formed by taking a random initial vertex (see footnote 1), moving along edges with
a certain probability, and halting when the current vertex is a distinguished
element. This framework was used by Galbraith, Hess and Smart [12]. Figure 1
presents Algorithm A, which is an algorithm to solve the GAIP following this
approach.

Algorithm A uses $2t$ client threads, where $t \ge 1$, and one server thread.
The algorithm takes as input a GAIP instance $(x_0, x_1)$ and an integer $t$. The
server starts $t$ clients, each performing a walk starting from a randomized node
$h_{0,i} * x_0$ for $1 \le i \le t$. The server starts another $t$ clients, each performing
a walk starting from a randomized node $h_{1,i} * x_1$. Each client continues the
deterministic pseudorandom walk until it hits a distinguished node. Once a
thread hits a distinguished node $z = a * x_s$, it puts the triple $(z, a, s)$ on the
shared queue and terminates. The server stores all received triples in a database
$D$ and restarts clients from new randomized starting nodes.

A collision is an event when some node is visited by client threads twice,
while the preceding nodes visited by the threads are different. Since the walks

Footnote 1: The GHS algorithm [12] does not specify how to sample random vertices in the isogeny
graph. We use an algorithm from Stolbunov [32, §6.1], which will be briefly explained at the
end of Section 3.4.
Algorithm 1 Server
Input: $(x_0, x_1, t) \in X \times X \times \mathbb{N}$
 1  for i = 1 to t do
 2    $h_{0,i}, h_{1,i} \xleftarrow{R} G$
 3    start client($h_{0,i} * x_0$, $h_{0,i}$, 0)
 4    start client($h_{1,i} * x_1$, $h_{1,i}$, 1)
 5  end for
 6  $D \leftarrow \emptyset$            (this line is illegible in the scan; the initialisation is inferred)
 7  while true do
 8    fetch $(z, a, s)$ from queue
 9    if $(z, b, 1 - s) \in D$ for some $b$ then
10      break loop
11    end if
12    $D \leftarrow D \cup \{(z, a, s)\}$
13    $h \xleftarrow{R} G$
14    start client($h * x_s$, $h$, $s$)
15  end while
16  stop all clients
Output: $a^{1-2s} b^{2s-1}$

Algorithm 2 Client
Input: $(z, a, s) \in X \times G \times \{0, 1\}$
 1  $c \leftarrow 0$                    (this line is illegible in the scan; the initialisation is inferred)
 2  while $z \notin X_D$ do
 3    $i \leftarrow v(z)$
 4    $z \leftarrow g_i * z$
 5    $a \leftarrow a g_i$
 6    $c \leftarrow c + 1$
 7    if $c > C_{\max}$ then
 8      $(z, a, s) \leftarrow \bot$
 9      break loop
10    end if
11  end while
Output: $(z, a, s)$

Figure 1: Algorithm A for solving the GAIP.

are deterministic, after a collision the two threads follow the same route until
they hit a distinguished node. Thus every collision results in two triples of the
form $(z, \cdot, \cdot)$ being submitted to the server. A collision of walks, one of which
was started from $x_0$ and the other one from $x_1$, is called a good collision. After
a good collision the server detects two triples $(z, a, 0)$ and $(z, b, 1)$. It then halts
all clients and outputs the solution $b^{-1} a$.

Since a walk might loop before it hits a distinguished node, clients use a
simple loop detection mechanism that checks whether the walk remains shorter
than a fixed maximum length $C_{\max}$. The value $C_{\max}$ is usually chosen to be a
function of $\theta$, e.g. $C_{\max} = 30/\theta$, which means that walks 30 times longer than
expected are abandoned (see footnote 2).

Denote by $a$ the number of nodes visited by Algorithm A, counted with repetition.
If nodes were sampled uniformly at random then the expected value $E(a)$
would be close to $\sqrt{\pi \#G}$ by a variant of the birthday paradox (see Section 4.1).
The expected total (serial) running time of Algorithm A approximately equals
the product of $E(a)$ with the average cost of computing $g_i * z$ in line 4 of the
client algorithm (see footnote 3). Our main observation is that the cost of computing $g_i * z$ is
not the same for all $g_i$. Hence, one can speed up the algorithm by favoring the
$g_i$ which are faster to compute.
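As an added illustration (not code from the paper), the following Python script runs Algorithm A serially on a toy GAIP: the group $G = \mathbb{Z}/(p-1)$ acts freely and transitively on $X = (\mathbb{Z}/p\mathbb{Z})^*$ by $g * x = x \cdot P^g$ for a primitive root $P$, so the instance is a discrete logarithm and the returned $g$ can be checked directly. All concrete choices are constructed: $p = 2^{31}-1$ with primitive root $7$, a supporting set of random exponents, the geometric partitioning of Section 3.4 with ratio $w$, $\theta = 2^{-8}$ and $C_{\max} = 30/\theta$; the client walks run one after another and the server's database $D$ is a dictionary.

```python
import random

# Constructed toy instance: G = Z/(p-1) acts on X = (Z/pZ)^* by g * x = x * GEN^g.
P_MOD = 2**31 - 1        # Mersenne prime
GEN = 7                  # primitive root modulo 2^31 - 1, so the action is free and transitive
ORDER = P_MOD - 1        # n = #G


def geometric_probs(r, w):
    """Partitioning probabilities p_1..p_r in geometric progression p_{i+1}/p_i = w."""
    raw = [w ** i for i in range(r)]
    total = sum(raw)
    return [x / total for x in raw]


def make_partition(probs):
    """Deterministic partitioning function v: X -> {0..r-1}.

    A fixed multiplicative hash of the node selects a partition according to the
    cumulative probabilities, so the partitions are uneven whenever w < 1.
    """
    scale = 1 << 16
    thresholds, acc = [], 0.0
    for pr in probs:
        acc += pr
        thresholds.append(int(acc * scale))
    thresholds[-1] = scale                         # guard against rounding

    def v(z):
        u = ((z * 2654435761) & 0xFFFFFFFF) >> 16  # 16-bit hash of z (constructed)
        for i, t in enumerate(thresholds):
            if u < t:
                return i
        return len(thresholds) - 1
    return v


def solve_gaip(x0, x1, r=4, w=0.5, theta_bits=8, seed=1, max_walks=200000):
    """Algorithm A run serially: return g with x0 * GEN^g == x1 (mod p), or None.

    Each iteration of the outer loop is one client walk (Algorithm 2); the
    dictionary D and the good-collision test play the server (Algorithm 1).
    """
    rng = random.Random(seed)
    v = make_partition(geometric_probs(r, w))
    H = [rng.randrange(1, ORDER) for _ in range(r)]   # supporting set g_1..g_r (exponents)
    HP = [pow(GEN, g, P_MOD) for g in H]               # GEN^{g_i}, precomputed
    mask = (1 << theta_bits) - 1                       # z is distinguished iff z & mask == 0
    c_max = 30 << theta_bits                           # C_max = 30 / theta
    D = {}                                             # (z, s) -> a: the stored triples
    xs = (x0, x1)
    for _ in range(max_walks):
        s = rng.randrange(2)                           # which side this walk belongs to
        a = rng.randrange(ORDER)                       # h <-R G; start at h * x_s
        z = xs[s] * pow(GEN, a, P_MOD) % P_MOD
        c = 0
        while z & mask:                                # walk until a distinguished node
            i = v(z)
            z = z * HP[i] % P_MOD                      # z <- g_i * z
            a = (a + H[i]) % ORDER                     # a <- a g_i (additive notation in G)
            c += 1
            if c > c_max:                              # loop detection: abandon this walk
                break
        else:
            b = D.get((z, 1 - s))
            if b is not None:                          # good collision: x_s*GEN^a = x_{1-s}*GEN^b
                return (a - b) % ORDER if s == 0 else (b - a) % ORDER
            D.setdefault((z, s), a)                    # D <- D u {(z, a, s)}
    return None


if __name__ == "__main__":
    secret = 123456789                                  # constructed instance x1 = secret * x0
    x0 = GEN
    x1 = x0 * pow(GEN, secret, P_MOD) % P_MOD
    g = solve_gaip(x0, x1)
    print(g, g == secret)
```

Because the action is free, the group element found by any good collision is the unique solution, which is what the check against `secret` relies on.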

In the $\mathcal{C}\ell$-GAIP, the supporting set $H$ is usually chosen to consist of prime
ideals above the smallest integer primes which split in $\mathcal{O}$. In some rare cases it
may be necessary to add one or more prime ideals of larger norm to ensure that
$H$ generates $\mathcal{C}\ell(\mathcal{O})$. Ramified primes can also be used, but since their order
equals two in $\mathcal{C}\ell(\mathcal{O})$ they suffer from the defect mentioned in the next section.

Footnote 2: Van Oorschot and Wiener [37] suggest $C_{\max} = 20/\theta$. Our value is larger in order to
preserve more non-looped walks.

Footnote 3: We do not count database access times and the expected $\theta\sqrt{n}$ random samplings of a group
element.

3.3 A Remark on the GHS Algorithm 

The GHS paper [12] states that "it is usually enough that $H$ contains about 16
distinct split primes", and that the partitioning function should "have a distribution
close to uniform". In other words, it was advised to use about $r = 16$ partitions
of approximately equal size. We will compare our algorithm against those
suggested parameters in the remainder of the paper.

We note a potentially serious problem (see footnote 4) with the algorithm of Galbraith, Hess
and Smart [12]. On every hop the algorithm chooses a small prime $\ell$ and a bit
$b$ uniformly at random. Typically, $\ell$ is split and the algorithm chooses one of
the two $\ell$-isogenous elliptic curves deterministically using the bit $b$. Hence for
a fixed $\ell$ every hop where $\ell$ is chosen produces an action by, equally likely, the
ideal $\mathfrak{l}$ or $\bar{\mathfrak{l}}$ (where $(\ell) = \mathfrak{l}\bar{\mathfrak{l}}$). Thus, since the ideal class group is abelian, the
expected power of the ideal $\mathfrak{l}$ that has acted on the starting elliptic curve after
any number of hops equals 0. Such a walk is far from random, as it tends to
remain "close" to its initial node. Hence, most likely the method of Galbraith,
Hess and Smart does not perform as well in practice as the heuristic predictions
stated in [12]. To avoid this problem, our algorithm always acts by the same
ideal $\mathfrak{l}$ when the prime $\ell$ is chosen (i.e., the set $H$ never contains both $\mathfrak{l}$ and $\bar{\mathfrak{l}}$
unless $\mathfrak{l}$ is ramified). We stress that the speed improvement of our algorithm is
not due to the correction of the named flaw but because of the use of an uneven
partitioning.

3.4 Better Choices for Solving the C£-GAIP 

We now discuss the main idea of the paper, which is to make the pseudorandom 
walks faster by using smaller degree prime ideals more often than larger degree 
ones. 

Recall that $a$ denotes the number of nodes visited by Algorithm A, counted
with repetition, and that $E(a)$ is close to $\sqrt{\pi n}$, where $n = \#G$. Therefore it is
more convenient to consider the variable

$$L = a / \sqrt{n}.$$

The value of $L$ is fully determined by the group, the problem instance $(x_0, x_1)$,
the supporting set $H$, the partitioning function $v()$, the subset $X_D$ of distinguished
nodes, the loop detection value $C_{\max}$ and the random choices made by
the algorithm. We define $E(L \mid r, p, m, \theta, C_{\max})$ to be the expected value of $L$,
taken over random choices of all the above parameters, conditioned on the values
of the parameters:

$r$ the number of partitions;

$p = (p_1, \dots, p_r)$ the partitioning probabilities;

Footnote 4: This remark also applies to the isogeny walk given by Teske [36, Algorithm 1]. Interestingly,
another isogeny walk is given in Algorithm 3 of the same paper, which is not affected
by this problem.
$m = \lceil \log(n) \rceil$ the ceiling of the binary logarithm of $\#G$;

$\theta$ the probability of distinguished nodes;

$C_{\max}$ the loop detection value.

To shorten the notation we will write $E(L)$ instead of $E(L \mid r, p, m, \theta, C_{\max})$.

The average running time of a step in the algorithm (equivalently, of a hop) is
$\mathbf{p}\mathbf{t} = \sum_{i=1}^{r} p_i t_i$, where $\mathbf{t}$ is a column vector of timings of actions by the $r$ chosen
primes (see Fig. 3 for such timings). Hence, the expected serial running time of
Algorithm A is approximately

$$E(L)\,\sqrt{n}\,\mathbf{p}\mathbf{t}. \qquad (1)$$

Ideally, the number of partitions $r$ and the probability distribution $\mathbf{p}$ should
be chosen by solving the optimization problem: given $n$, $\theta$, $\mathbf{t}$, choose $r$ and $\mathbf{p}$ to
minimise the expected running time $E(L)\sqrt{n}\,\mathbf{p}\mathbf{t}$. We do not claim in this paper
a complete solution to this optimisation problem. But we do discuss how $E(L)$
depends on $r$ and $\mathbf{p}$, and we suggest some choices for these parameters.

For simplicity, and because they seem to give good results in practice, we
restrict our attention to vectors $\mathbf{p} = (p_1, \dots, p_r)$ such that the probabilities are
in geometric progression $p_{i+1}/p_i = w$ for $1 \le i < r$. For example, taking $r = 4$
and $w = 1/2$ means probabilities $(p_1, \tfrac{1}{2}p_1, \tfrac{1}{4}p_1, \tfrac{1}{8}p_1)$ which add up to 1 (and so
$p_1 = 8/15 \approx 0.53$). In our practical analysis we restrict to $3 \le r \le 16$ and
$\mathbf{p}$ the geometric progression of ratio $w \in \{1, 3/4, 1/2, 1/3, 1/4\}$. This choice
is probably not the best solution to the optimization problem, but it seems to
work well in practice.

To implement the starting randomization of the walks we use a method
proposed by Stolbunov [32, §6.1]. We briefly describe the method. Since the
class group structure computation is much faster [2] than Algorithm A, one
first computes the class group structure. For an imaginary quadratic order $\mathcal{O}$ of
discriminant $\Delta$, the class group $\mathcal{C}\ell(\mathcal{O})$ is generated (assuming GRH) by the set
$C$ of prime ideals of split norms less than or equal to $\ell_{\max} = c_1 \log^2 |\Delta|$, for an
effectively computable constant $c_1$ [11, Corollary 6.2]. Note that the set $C$ used
for the random sampling can be larger than the supporting set $H$. Knowing the
class group generators and their orders, one obtains a random group element in
a smooth form by raising generators to random exponents, each chosen between
zero and the corresponding order. To shorten the representation one reduces it
modulo the lattice of relations among the elements of $C$. Indeed, it is possible
to write any element of $\mathcal{C}\ell(\mathcal{O})$ as an $O(\log|\Delta|)$-term product of elements in $C$.
Jao, Miller and Venkatesan have shown (assuming GRH) that the ideal class
graph $(\mathcal{C}\ell(\mathcal{O}), C)$ is an expander graph [17, Theorem 1.5]. Since the diameter of
an expander graph is less than or equal to $2\log(h)/\log(1 + c)$ for the expansion
coefficient $c$ and the number of vertices $h$ [17, Theorem 9.9], the diameter of the
ideal class graph $(\mathcal{C}\ell(\mathcal{O}), C)$ is $O(\log(h))$, where $h \approx |\Delta|^{1/2}$.

4 Theoretical Analysis of the Algorithm 

4.1 Previous Results 

A tremendous amount of research on the running time analysis of the Pollard 
rho algorithm has been carried out by various authors. We give a brief overview 
of some of the results relevant to our work. 
First we consider random mappings on a set $X$ of $n$ elements. Rapoport [25,
§11] and Harris [13, §3] obtained an approximation for the expected value of the
number $\rho$ of distinct elements in a random walk on $X$:

$$E(\rho) \approx \sqrt{\pi n / 2}.$$

For a more precise statement see Knuth [15, Exercise 3.1.12]. These results were
subsequently used to approximate the expected length of the rho-shaped walk
in Pollard's algorithm [23].

Van Oorschot and Wiener [37, §4.1] proposed a parallel version of Pollard's
rho algorithm. When more than one walk is run in parallel, several collisions
can occur, and only some of them may be useful (we call these collisions
good). Let $p$ be the probability that a random collision is good. They obtained
the following approximation for the expected value of the number $A$ of distinct
visited nodes, when the number of collisions is small:

                                                                        (2)
The iteration function proposed by Pollard [24] for the DLP involved three
partitions of approximately equal size: two corresponding to multiplication and
one to squaring hops. Teske proposed a different type of iteration function which
she called an adding walk [35]. Adding walks allowed more partitions, but it was
still preferable to have equally-sized partitions because the costs of iterations
were approximately equal. Brent and Pollard [5] and Blackburn and Murphy [3]
provided a heuristic argument where they assumed that the restrictions of the
iterating function to $r$ equally-sized partitions were random mappings:

                                                                        (3)

More recently, Bailey et al. [1, Appendix B] employed an uneven partitioning
with probabilities $p_i$, $1 \le i \le r$, for the Pollard rho method. Again under the
assumption about the randomness of the restrictions of the iterating function,
they provided the following heuristic result:

                                                                        (4)

which agrees with (3) when all $p_i$ are equal. Combining equations (2) and (4),
since the probability that a collision is good is $p = 1/2$, would lead to a
conjectured expected value of $a$ of $\sqrt{\pi n / (1 - \sum_{i=1}^{r} p_i^2)}$. Theorem 1 proves this
result.

4.2 Issues Caused by Uneven Partitioning 

When some partitions are used more often than others, walks become less likely
to collide. Indeed, a collision involves two edges coming from two different
partitions into the same node. Since every node has exactly one outgoing edge,
uneven partitioning implies uneven distribution of edges among their types, and
hence it becomes less likely to pick two edges of different types. This aspect is
studied in the theoretical analysis below.

Another issue caused by uneven partitioning is that walks lose their mixing
property, namely they behave less like random mappings than with even
partitioning. This aspect is not accounted for by our theoretical model, but it is
discussed in Section 5.1.

4.3 Theoretical Model of the Algorithm 

We now define an algorithm $A_\pi$ that closely resembles A. The only differences
between $A_\pi$ and A are that the walk is implemented using random permutations,
and that there is no loop detection (to simplify the proof in the next section
we assume that walks never loop before they hit a distinguished node). Walks
for $A_\pi$ are defined as follows. Let $h_1, \dots, h_r$ be random permutations on $X$
such that $h_i(z) \ne z$ and $h_i(z) \ne h_j(z)$ for all $z \in X$ and $i \ne j$. Walks are now
defined using the map

$$X \to X, \qquad z \mapsto h_{v(z)}(z).$$

Algorithm $A_\pi$ is obtained from A by replacing line 4 of the client Algorithm 2
with $z \leftarrow h_i(z)$ and deleting lines 7–10. Because of the nature of the walks,
Algorithm $A_\pi$ does not solve the GAIP.

4.4 Running Time of the Theoretical Model 

We now state the expected running time of Algorithm $A_\pi$. This is essentially
the same result as given in Appendix B of Bailey et al. [1], although their work
is for the Pollard rho discrete logarithm problem, whereas we are considering a
slightly different situation. We also give a Heuristic 1 for the standard deviation
of the running time.

Theorem 1. Let $n$ be the cardinality of the set $X$, $\theta$ the probability of a node
being distinguished and $p_1, \dots, p_r$ the probabilities of choosing among $r$ random
permutations on $X$. Then the number $a_\pi$ of nodes visited, with repetition, before
Algorithm $A_\pi$ terminates, has the following expected value:

$$E(a_\pi) \approx \sqrt{\pi n / d}, \qquad (5)$$

where $d$ is the expected in-degree of a visited node excluding the edge used to
arrive at this node (see footnote 5):

$$d = (1 - \theta)\Big(1 - \sum_{i=1}^{r} p_i^2\Big).$$

Proof. We sketch an outline of the proof and refer to Stolbunov [31] for the
details. The proof uses the approach of Blackburn and Murphy [4]. The main
task is to determine the expected number of elements sampled before the first

Footnote 5: The term in-degree refers to a graph with the set of vertices $X$ and the edges $(z, h_{v(z)}(z))$.
For a visited vertex, the number of used incoming edges equals zero if it is a randomized
starting vertex, or one otherwise.



good collision. It is then standard that $1/\theta$ further steps are required to detect
a collision. Note that two collisions are expected in total.

Let $A \subset X$ denote the set of elements already visited at some stage during
the execution of Algorithm $A_\pi$. For each element $z \in A$ (except for the starting
point) let $z_0 \in A$ be the previous element in the walk, and suppose $z_0$ lies in
partition $i$ so that $z = h_i(z_0)$. Let $j \in \{1, \dots, r\} \setminus \{i\}$. There is an incoming edge
to $z$ corresponding to partition $j$ if and only if $h_j^{-1}(z)$ lies in partition $j$. Under
the assumption that the partitions are random, this occurs with probability
$p_j$. Hence, the expected number of edges into $z$ coming from partition $j$ is
$p_j$. Now, since all the permutations are random and independent, the expected
number of incoming edges to $z$ is the sum of the expectations for each individual
permutation:

$$\sum_{j=1,\, j \ne i}^{r} p_j = 1 - p_i.$$

Now, summing over all possible choices for $i$ (given that each arises with
probability $p_i$) gives

$$\sum_{i=1}^{r} p_i \sum_{j=1,\, j \ne i}^{r} p_j = \sum_{1 \le i \ne j \le r} p_i p_j = 1 - \sum_{i=1}^{r} p_i^2.$$

This is the expected number of external incoming hops, for a random non-initial
element of $A$. Since the proportion of initial elements equals $\theta$, equation (5)
follows.

The expected number of elements sampled to get a collision is $\sqrt{\pi n / (2d)}$ by
the same arguments as used by Brent and Pollard and by Blackburn and Murphy. However,
a collision is only a good collision with probability $1/2$ so, using the logic behind
equation (2), one gets the formula $\sqrt{\pi n / d}$. □

Note that the value $d$ in Theorem 1 can easily be computed for small $r$ and
known $p_i$. When all $p_i = 1/r$ and $\theta$ tends to zero, then $d$ tends to

$$\frac{r - 1}{r}.$$

Hence, Theorem 1 agrees with previous results on the Pollard rho algorithm
when using $r$ partitions all of the same size, cf. (3).

Heuristic 1. Let $a_\pi$, $n$, $\theta$ and $d$ be as in Theorem 1. Then the variance of the
random variable $a_\pi$ approximates as:

$$\mathrm{Var}(a_\pi) \approx \frac{(4 - \pi)\, n}{d} + \frac{4 - 2\theta}{\theta^2} + 2\,\mathrm{Cov}(A_\pi, \delta_\pi). \qquad (6)$$

We provide a brief argument for Heuristic 1 below and refer to Stolbunov [31]
for the details.

The total number of visited nodes is the sum of the number of unique
visited nodes $A_\pi$ and the number $\delta_\pi$ of nodes visited twice or more. Hence

$$\mathrm{Var}(a_\pi) = \mathrm{Var}(A_\pi) + \mathrm{Var}(\delta_\pi) + 2\,\mathrm{Cov}(A_\pi, \delta_\pi),$$


         |          w = 1            |         w = 1/2           |         w = 1/4
    r    |   d     E(L_π)   Stdev    |   d     E(L_π)   Stdev    |   d     E(L_π)   Stdev
  -------+---------------------------+---------------------------+--------------------------
    3    | 0.6667  2.1708  1.1347    | 0.5714  2.3447  1.2256    | 0.3810  2.8717  1.5011
    4    | 0.7500  2.0467  1.0698    | 0.6222  2.2470  1.1746    | 0.3953  2.8191  1.4736
    5    | 0.8000  1.9817  1.0359    | 0.6452  2.2067  1.1535    | 0.3988  2.8066  1.4671
    6    | 0.8333  1.9416  1.0149    | 0.6561  2.1882  1.1438    | 0.3997  2.8035  1.4655
   10    | 0.9000  1.8683  0.9766    | 0.6660  2.1719  1.1353    | 0.4000  2.8025  1.4649
   16    | 0.9375  1.8306  0.9569    | 0.6667  2.1708  1.1347    | 0.4000  2.8025  1.4649

Table 1: The values $d$, $E(L_\pi)$ and $\mathrm{Stdev}(L_\pi)$, when $r$ partitions are used and
partitioning probabilities decrease with ratio $w$. $n = 2^{40}$ and $\theta = 2^{-?}$.

where the summands correspond to the ones in (6). The probability distribution
of $A_\pi$ can be approximated by the (continuous) Rayleigh distribution [33], with
the following probability density function and variance:

$$f_{A_\pi}(x) \approx \frac{x d}{2n}\, e^{-\frac{x^2 d}{4n}}, \qquad \mathrm{Var}(A_\pi) \approx \frac{(4 - \pi)\, n}{d}.$$

When it comes to the duplicate visited nodes, chasing the good-collision
distinguished node can be described as a sequence of Bernoulli trials with success
probability $\theta/2$, because only half of the collisions are good. The number of
trials needed to get one success conforms to the geometric distribution [§6.1.2].
Hence the probability mass function and the variance of $\delta_\pi$ are

$$f_{\delta_\pi}(x) \approx \Big(1 - \frac{\theta}{2}\Big)^{x-1} \frac{\theta}{2}, \qquad \mathrm{Var}(\delta_\pi) = \frac{4 - 2\theta}{\theta^2}.$$

The covariance of $A_\pi$ and $\delta_\pi$ is computed using the formula (see [21])

$$\mathrm{Cov}(A_\pi, \delta_\pi) = E(A_\pi \delta_\pi) - E(A_\pi)\, E(\delta_\pi).$$

4.5 Running Time Calculations 

Let the partitioning probabilities $p_1, \dots, p_r$ be chosen from a geometric progression with common ratio $w$ (cf. Section 3.4). Table 1 lists the values $d$, the expected values and the standard deviations of $L_\pi$ for $n = 2^{40}$ and $\theta = n^{-1/4} = 2^{-10}$. Mantissas are rounded to four decimal digits.

The values of $d$ in the first column of Table 1 agree with $(r-1)/r$ as expected. Note also that the values of $\mathrm{E}(L_\pi)$ in the first column converge to the expected asymptotic value of $\sqrt{\pi} \approx 1.7724$. The values in the $w = 1/4$ column do not change significantly when $r$ is large; this is because the higher primes are used with such extremely low probability that they have no effect on the algorithm. The values in Table 1 will be used later to give an estimate of the running time of our improved variant of the algorithm.

5 Comparing Theory and Practice 

There are many reasons why we do not expect the practical Algorithm A to behave as well as the theoretical Algorithm $A_\pi$. The aim of this section is to briefly mention one of these issues, and to develop a plausible set of heuristics for the running time of Algorithm A.
5.1 Mixing of Adding Walks

As is standard, the theoretical analysis assumes truly random walks. However, we are using adding walks in a group, and such walks are not close to uniformly distributed if they are short. The mixing time is a measure of how long a walk runs before its values start to appear uniformly distributed. It is beyond the scope of this paper to analyse such issues in detail. We mention that Dai and Hildebrand [9] have studied the mixing time of adding walks. They show that adding walks on $r$ partitions need a slack of $O(n^{2/(r-1)+\varepsilon})$ hops before they converge to the uniform distribution.

However, it is worth noting that Algorithm A does not necessarily need walks 
to be uniformly distributed after a certain number of hops. Instead it needs 
walks to collide. Just because walks have not yet reached uniform sampling 
does not prevent collisions from occurring. 

5.2 Experiments 

To get a better idea of how the algorithm works in practice, we have performed a suite of experiments. We report one of them in this paper and refer to Stolbunov [31] for more details.

Our numerical experiments are for $X = G$ (i.e., $G$ acting on itself) being an abstract group of the form $\mathbb{Z}_{n_1} \oplus \cdots \oplus \mathbb{Z}_{n_s}$, where $n_{i+1} \mid n_i$ and $n_i \ge 2$ for all $i$. The integer $s$ is the rank of $G$. The supporting set is randomly chosen, though it is checked that it generates the group.

For calculations we use a Linux cluster of 32 quad-core Intel X5550 processors clocked at 2.67 GHz. The code is written in C++. We use a single-threaded implementation of Algorithm A, such that one thread alternates between $x_0$- and $x_1$-walks. The same experiment is run on all CPU cores in parallel but with different random generator seeds.

Group elements are represented by arrays of 64-bit integers. We make use of a hash function $H : G \to \{0,1\}^{32}$ implemented using the 64 to 32 bit hash function of Wang [33]. The partitioning function $v(z)$ is computed by reducing $H(z)$ modulo a sufficiently large integer whose residues can be partitioned with the correct proportions. Wang's hash function uses bit shifts, negations, additions and XOR operations. This helps to make sure that $v(z)$ and $v(\psi(z))$ look like independent random variables, which is important because correlations between the functions $\psi(z)$ and $v(z)$ can result in undesirable loops in the walk.

Let $\theta$ be the desired distinguished point probability. We declare an element $z$ to be distinguished iff $H(z) \equiv 0 \bmod \lfloor 1/\theta \rceil$, where $\lfloor\cdot\rceil$ is rounding to the nearest integer. Although Algorithm A has polynomial memory requirements, we find it practical to use an $O(n^{1/4})$ amount of storage⁸, namely to choose

$$\theta = n^{-1/4}.$$

⁸Let us justify the suitability of this choice by an example. Suppose one tries to solve a Cℓ-GAIP over a 244-bit field, a problem size proposed for isogeny-based cryptosystems [32]. Since the group size (i.e., class number) is $n \approx 2^{122}$, the database of distinguished nodes should store $1.9\sqrt[4]{n}$ nodes, which is less than $2^{\cdots}$ on average. Since the class number is approximately 122 bits long, one entry of the database (binary tree) of distinguished nodes would occupy 48 bytes, of which 16 bytes are used by a hashed $j$-invariant, 16 bytes by a compressed class group element and 16 bytes by two pointers. The whole database would occupy not more than 384 gigabytes of disk space, which we find to be quite moderate.
This is compatible with the work of Schulte-Geers [5S]. The database of distinguished nodes is implemented as a binary tree.

For the starting randomization of walks we use the 64-bit Mersenne twister pseudorandom generator [5T]. A pseudorandom element $g_r \in G$ acts on the initial node to create the starting point of the new walk.



5.3 Choosing the Number of Experiments 

Let $k$ be the number of experiments and $L_k$ the average value of $L$ over $k$ experiments. According to the central limit theorem [25, §7.2.1], the probability distribution of the random variable $L_k$ approaches the normal distribution with the mean $\mathrm{E}(L)$ and the variance $\mathrm{Var}(L)/k$ as $k$ approaches infinity. For the normal distribution, over 99.7 % of the values lie within three standard deviations of the mean. Thus, assuming $k$ is big enough, we have that

$$\Pr\left[\mathrm{E}(L) - \frac{3\,\mathrm{Stdev}(L)}{\sqrt{k}} \le L_k \le \mathrm{E}(L) + \frac{3\,\mathrm{Stdev}(L)}{\sqrt{k}}\right] > 0.997.$$

When measuring $\mathrm{E}(L)$, we use two levels of accuracy: the result lies within ±0.1 % of the true value for the experiments satisfying $\log(n) \le 44$, and within ±0.5 % of the true value otherwise. Thus we can use the inequalities

$$\frac{3\,\mathrm{Stdev}(L)}{\sqrt{k_1}} \le 0.001\,\mathrm{E}(L), \qquad \frac{3\,\mathrm{Stdev}(L)}{\sqrt{k_2}} \le 0.005\,\mathrm{E}(L) \qquad (7)$$

to find the sufficient number of experiments for the two accuracy levels. For a preliminary estimation of the number of experiments we use the formulae for $\mathrm{E}(L)$ and $\mathrm{Stdev}(L)$ obtained in Section 4. This gives us the values

$$k_1 = 2459137, \qquad k_2 = 98368,$$

computed as maximums over all possible parameters in Experiment 1.

Our experiments have shown that, in most cases, both the sample mean and the sample standard deviation differ from the results of Theorem 1 by approximately the same factor, which cancels out in (7). This means that the obtained numbers $k_1$ and $k_2$ fit the probability distributions under observation.
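As an added example (not code from the paper), the following Python reproduces the Table 1 columns from the leading terms of Theorem 1 and Heuristic 1 and then applies the inequalities of this section to obtain the number of experiments. It assumes $d = 1 - \sum p_i^2$ (the $\theta \to 0$ value noted in Section 4) and drops the $\theta$-dependent terms, which is why its $k$ values differ from the paper's $k_1$, $k_2$ by about 0.001 %.

```python
"""Added example (not from the paper): Table 1 from the leading terms of
Theorem 1 / Heuristic 1, and the Section 5.3 sample-size rule.

Assumed leading terms (theta -> 0):
    d = 1 - sum(p_i^2),   E(L_pi)/sqrt(n) ~ sqrt(pi/d),   Var(L_pi)/n ~ (4-pi)/d,
which is all that survives at four decimals for n = 2^40, theta = 2^-10.
"""
import math


def partition_probs(r, w):
    """p_1..p_r proportional to 1, w, ..., w^(r-1), normalised to sum to 1."""
    raw = [w ** i for i in range(r)]
    total = sum(raw)
    return [x / total for x in raw]


def theory(r, w):
    """(d, E(L_pi)/sqrt(n), Stdev(L_pi)/sqrt(n)) rounded to 4 decimals, as in Table 1."""
    d = 1.0 - sum(p * p for p in partition_probs(r, w))
    mean = math.sqrt(math.pi / d)
    stdev = math.sqrt((4.0 - math.pi) / d)
    return round(d, 4), round(mean, 4), round(stdev, 4)


def experiments_needed(rel_tol, rs=range(3, 17), ws=(1, 3 / 4, 1 / 2, 1 / 3, 1 / 4)):
    """Smallest k with 3*Stdev(L)/sqrt(k) <= rel_tol*E(L) for every (r, w) in the
    Experiment 1 grid, i.e. the inequalities (7) maximised over the parameters.
    With the leading terms only, Stdev/E = sqrt((4-pi)/pi) for every (r, w), so the
    maximum is attained everywhere; the loop mirrors the paper's procedure."""
    k_max = 0
    for r in rs:
        for w in ws:
            d = 1.0 - sum(p * p for p in partition_probs(r, w))
            ratio = math.sqrt((4.0 - math.pi) / d) / math.sqrt(math.pi / d)
            k_max = max(k_max, math.ceil((3.0 * ratio / rel_tol) ** 2))
    return k_max


if __name__ == "__main__":
    for r in (3, 4, 5, 6, 10, 16):
        print(r, theory(r, 1), theory(r, 1 / 2), theory(r, 1 / 4))
    print(experiments_needed(0.001), experiments_needed(0.005))
```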



5.4 Experimental Measurement of L 

In this section we measure E(L) by means of experimentation and assemble 
results in a table so that they can be used for arbitrary GAIP instances in the 
future. 

Experiment 1 (Measuring $L$ in Arbitrary Groups). For each of the values $\lceil \log(n) \rceil \in \{28, 32, 36, \dots, 56\}$, $r \in \{3, 4, \dots, 16\}$ and $w \in \{1, 3/4, 1/2, 1/3, 1/4\}$ conduct a set of $k_1$ ($k_2$ for $n > 2^{44}$) experiments. In each experiment choose a random¹⁰ group $G$ and a random subset of $r$ elements that generates $G$. Use $\theta = n^{-1/4}$ and the partitioning probabilities decreasing with ratio $w$.

⁹We use $n \ge 2^{28}$ because otherwise $L$ is highly affected by looped walks: every loop increases the number of visited nodes by $30\,n^{1/4}$.

¹⁰For each $m \in \{28, 32, 36, \dots, 56\}$ we sample uniformly from the set of isomorphism classes of abelian groups of order $n$ and rank at most $r$, where $2^{m-1} + 1 \le n \le 2^m$.



Table 2: Expected values of $L$ (in units of $\sqrt{n}$) obtained experimentally for certain choices of $r$ and $w$.

                                  ⌈log(n)⌉
   w     r     28      32      36      40      44      48      52      56
   1     3   2.8547  2.9982  3.1380  3.2735  3.4079  3.5355  3.6681  3.7812
         4   2.2923  2.3101  2.3247  2.3371  2.3484  2.3518  2.3661  2.3661
         5   2.1039  2.0975  2.0968  2.0984  2.0978  2.1007  2.1009  2.1004
         6   2.0178  2.0099  2.0052  2.0032  2.0026  2.0038  2.0022  2.0023
        10   1.9021  1.8932  1.8862  1.8849  1.8831  1.8816  1.8769  1.8879
        16   1.8575  1.8455  1.8407  1.8384  1.8361  1.8302  1.8369  1.8357
  1/2    3   3.1089  3.2761  3.4406  3.5985  3.7500  3.9086  4.0331  4.1785
         4   2.6071  2.6436  2.6723  2.6938  2.7101  2.7307  2.7315  2.7406
         5   2.4586  2.4665  2.4723  2.4782  2.4802  2.4875  2.4821  2.4776
         6   2.4000  2.4022  2.4063  2.4068  2.4086  2.4079  2.4069  2.4128
        10   2.3529  2.3536  2.3527  2.3553  2.3563  2.3486  2.3533  2.3557
        16   2.3516  2.3523  2.3519  2.3519  2.3536  2.3524  2.3465  2.3576
  1/4    3   3.8596  4.1194  4.3652  4.5978  4.8213  5.0395  5.2484  5.4338
         4   3.5425  3.6694  3.7582  3.8280  3.8771  3.9015  3.9372  3.9517
         5   3.4753  3.5732  3.6423  3.6830  3.7103  3.7322  3.7295  3.7407
         6   3.4608  3.5566  3.6145  3.6526  3.6743  3.6985  3.6845  3.6845
        10   3.4578  3.5486  3.6064  3.6454  3.6658  3.6672  3.6853  3.6833
        16   3.4607  3.5498  3.6070  3.6427  3.6639  3.6747  3.6808  3.6880

A subset of results is listed in Table 2, where mantissas are rounded to four decimal digits. Full data for $3 \le r \le 16$ and $w \in \{1, 3/4, 1/2, 1/3, 1/4\}$ are available in [31]. The entire experiment took 51 days of parallel processing on 128 cores.

When $w = 1$ and $r = 16$ one sees good agreement between Table 2 and Table 1, which suggests that our implementation is working well. In other cases we see that $L$ is significantly larger than $L_\pi$, which shows that the theoretical analysis is over-optimistic about the behaviour of these pseudorandom walks. The results also confirm that $r = 3$ is not a good choice in practice.

Figure 2 graphs some values of the practice-to-theory ratio

$$\alpha = \frac{\mathrm{E}(L)}{\mathrm{E}(L_\pi)}.$$

Round dots depict our experimental results, and lines are their approximating functions (solid lines are $w = 1$, short-dashed lines are $w = 1/2$ and long-dashed lines are $w = 1/4$). For a fixed $w$, values of $\alpha$ for $5 \le r \le 16$ lie between $r = 5$ and $r = 16$. One can observe an increased roughness of experimental results for $n > 2^{44}$ due to the increased confidence interval. The graphs suggest that, for $r > 3$, the difference between $\mathrm{E}(L)$ and $\mathrm{E}(L_\pi)$ is fairly stable as $n$ grows. Hence, when $r > 3$ we feel confident extrapolating actual values for $\mathrm{E}(L)$ from our formulae for $\mathrm{E}(L_\pi)$ and the experimentally determined correction factors $\alpha$.

Remark 1. Recently Montenegro proposed a heuristic for estimating the number of hops in birthday attacks [22]. His idea is to estimate the probability of short cycles, i.e., if two walks (with independent partitioning functions) are started from the same position, then what is the probability that they intersect soon? The lower this probability is, the sooner the algorithm will terminate.
[Figure 2 (plot): $\alpha = \mathrm{E}(L)/\mathrm{E}(L_\pi)$ plotted against $n$ for $n$ from $2^{30}$ to $2^{80}$, vertical axis ticks at 1.2, 1.3 and 1.4; curves labelled $r = 4, w = 1/4$; $r = 5, w = 1/4$; $r = 16, w = 1/4$; $r = 4, w = 1/2$; $r = 5, w = 1$; $r = 16, w = 1$.]

Figure 2: Values of $\alpha = \mathrm{E}(L)/\mathrm{E}(L_\pi)$ obtained experimentally and their approximations extended to $n = 2^{80}$.



Applied to adding walks in an abelian group, this means that if two walks include short subsequences of edges which are equivalent up to the order of edges, these subsequences do not change the relative position of these walks. Although Montenegro only gives examples for Pollard's and Teske's walks, his heuristic also applies to walks with uneven partitioning. The probability $P_1$ that two independent walks started from $x_0 = y_0$ have a collision after one hop equals

$$P_1 = \Pr[x_1 = y_1] = \sum_{i=1}^{r} p_i^2 .$$

If we only consider collisions after one hop, then Montenegro's heuristic gives an approximation similar to what we obtained in Theorem 1:

$$\mathrm{E}(L) \approx \sqrt{\frac{\pi n}{1 - P_1}}.$$

The probability $P_2$ that a collision occurs on the second hop is

$$P_2 = \Pr[(x_1 \ne y_1) \wedge (x_2 = y_2)] = (1 - P_1)\,P_1^2$$

and Montenegro's heuristic gives

$$\mathrm{E}(L) \approx \sqrt{\frac{\pi n}{1 - (P_1 + P_2)}} = \sqrt{\frac{\pi n}{(1 - P_1)(1 - P_1^2)}}. \qquad (8)$$

The calculation can be continued to more hops, but since probabilities of collisions become much smaller than $P_2$, this will result in very small numerical changes.

We have calculated the expected values of $L$ using (8) and found that for $r \ge 6$ the heuristic agrees pretty well with our practical results, giving only up to 3.4 % error for $w = 1/2$ and up to 5.6 % error for $w = 1/4$.
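Added example (not code from the paper): eq. (8) evaluated for geometric partitioning probabilities and compared with the experimental values copied from Table 2 at $\lceil \log n \rceil = 56$. It assumes $P_1 = \sum_i p_i^2$, the probability that both walks choose the same edge, and that $P_2 = (1 - P_1)P_1^2$ as above.

```python
"""Added example (not from the paper): Montenegro's short-cycle heuristic,
eq. (8), for adding walks with geometric partitioning probabilities, checked
against the experimental E(L)/sqrt(n) values copied from Table 2 (log n = 56).
Assumption: P_1 = sum(p_i^2), the chance that both walks choose the same edge."""
import math


def partition_probs(r, w):
    """p_1..p_r proportional to 1, w, ..., w^(r-1), normalised to sum to 1."""
    raw = [w ** i for i in range(r)]
    total = sum(raw)
    return [x / total for x in raw]


def montenegro(r, w, hops=2):
    """Predicted E(L)/sqrt(n).  hops=1 keeps only one-hop collisions and gives
    sqrt(pi/(1 - P_1)), i.e. Theorem 1; hops=2 is eq. (8)."""
    p1 = sum(p * p for p in partition_probs(r, w))  # same edge on hop 1
    p2 = (1.0 - p1) * p1 ** 2                        # different edges, swapped on hop 2
    p_short = p1 + (p2 if hops >= 2 else 0.0)
    return math.sqrt(math.pi / (1.0 - p_short))


# Experimental E(L)/sqrt(n) at ceil(log n) = 56, taken from Table 2.
TABLE2_AT_56 = {
    (6, 0.5): 2.4128, (10, 0.5): 2.3557, (16, 0.5): 2.3576,
    (6, 0.25): 3.6845, (10, 0.25): 3.6833, (16, 0.25): 3.6880,
}


def relative_error_percent(r, w):
    """|heuristic - experiment| / experiment, in percent."""
    measured = TABLE2_AT_56[(r, w)]
    return 100.0 * abs(montenegro(r, w) - measured) / measured


def worst_error_percent(w):
    """Largest deviation of eq. (8) from Table 2 over the tabulated r >= 6 for this w."""
    return max(relative_error_percent(r, ww) for (r, ww) in TABLE2_AT_56 if ww == w)


if __name__ == "__main__":
    for (r, w) in sorted(TABLE2_AT_56):
        print(f"r={r:2d} w={w}: heuristic {montenegro(r, w):.4f}, "
              f"Table 2 {TABLE2_AT_56[(r, w)]:.4f}, "
              f"error {relative_error_percent(r, w):.2f} %")
```

For $w = 1/2$ the worst case among the tabulated $r \ge 6$ is $r = 6$ at about 3.4 %, matching the figure quoted above; for $w = 1/4$ the three tabulated rows give about 5 %.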

6 The Algorithm in Practice 

We now discuss how the isogeny algorithm performs in practice. We focus on the case of ideal class groups of maximal orders in CM fields coming from $\mathrm{End}(E)$ where $E$ is a randomly chosen elliptic curve over $\mathbb{F}_p$ and $p$ is a randomly chosen 160-bit prime. We also speculate on how the algorithm will perform for larger fields at the end of this section.

We have already obtained a good theoretical and experimental understand- 
ing of the algorithm for the group action problem. It is necessary now to include 
the cost of computing isogenies. The next section gives some estimates for the 
running time of computing isogenies of prime degree. 

6.1 Cost of Computing Isogenies 

Consider the cost of computing the action by a prime ideal in the isogeny graph. One has an elliptic curve and an ideal of norm $\ell$. One must factor the modular polynomial to determine the possible $j$-invariants of $\ell$-isogenous curves, one must perform Elkies' algorithm to determine the kernel polynomials for these isogenies, and then one must use the technique from [12] to determine which is the correct kernel and hence which is the correct isogeny¹¹. It is not necessary to apply Vélu's formulae at this stage. We assume the modular polynomials have been precomputed and reduced to the finite field $\mathbb{F}_q$. Since the modular polynomial has $O(\ell^2)$ coefficients one performs $O(\ell^2)$ field operations to evaluate the modular polynomial at the target $j$-invariant. An expected $O(\ell \log(\ell) \log(q))$ field operations are performed to find the roots of the polynomial, employing fast polynomial arithmetic. Finally, $O(\ell^2)$ field operations are used by Elkies' algorithm. Hence one expects the time of one $\ell$-hop to grow like

$$O(\ell^2 + \ell \log(\ell) \log(q)) \qquad (9)$$

field operations.

We computed average timings using the ClassEll package by Stolbunov [50]. The package implements the ideal class group action on sets of ordinary elliptic curves. The experiment was run on Intel X5550 processors clocked at 2.67 GHz; the code executed at approximately 6799 million instructions per second (MIPS). The data was gathered by repeatedly (20000 times) generating a random 160-bit prime $p$ and a random ordinary elliptic curve over $\mathbb{F}_p$ with a fundamental Frobenius discriminant. The time spent on one action by a prime ideal, for prime ideals of all split norms less than or equal to 137, was recorded. To increase the accuracy, we performed more hops for smaller primes. Results are given in Fig. 3. We can observe bumps when $\ell$ moves over powers

¹¹If two or more consecutive hops are made by the same split isogeny degree $\ell$, and there are no vertical $\ell$-isogenies, then it is sufficient to choose the correct isogeny only at the first hop. On each subsequent hop one simply checks that the $j$-invariant does not match the previous one. This provides extra saving, especially when the partitioning is uneven. This extra saving is not accounted for in Table 3.
Figure 3: Average running time of one hop (action by a prime ideal of norm $\ell$) for elliptic curves over 160-bit fields.

    ℓ   Time (s)       ℓ   Time (s)
    3   0.002870      61   0.168179
    5   0.004799      67   0.225253
    7   0.006898      71   0.225503
   11   0.012113      73   0.249365
   13   0.015261      79   0.270537
   17   0.022376      83   0.284242
   19   0.026499      89   0.305786
   23   0.036209      97   0.341988
   29   0.052346     101   0.353268
   31   0.058230     103   0.362195
   37   0.084434     107   0.375111
   41   0.092049     109   0.384550
   43   0.106742     113   0.403007
   47   0.116152     127   0.467993
   53   0.143732     131   0.579427
   59   0.150925     137   0.624039
of two, which is typical for polynomial multiplication by the number-theoretic transform.

6.2 Ideal Class Groups 

In Experiment 1 we used the uniform distribution of finite abelian groups. However, the structure of ideal class groups is not that random; the following observations are known as the Cohen–Lenstra heuristics [7]: the odd part of the class group of an imaginary quadratic field is quite rarely non-cyclic; if $p$ is a small odd prime, the proportion of imaginary quadratic fields whose class number is divisible by $p$ is close to $1/p + 1/p^2$. The distribution of group structures in the isogeny problem is further affected by the fact that the imaginary quadratic orders are chosen as endomorphism rings of random elliptic curves. Nevertheless, our experiments show that the difference between the values $\mathrm{E}(L)$ for random isogeny problem instances¹² and for random GAIP instances lies within the margin of error 0.2 %. The same holds for the standard deviation of $L$.

Due to the numerical results of Jacobson, Ramachandran and Williams [18] we know that the average maximum norm of the prime ideals required to generate the class group of $\mathbb{Q}(\sqrt{\Delta})$ for $-10^{11} < \Delta < 0$ approximately equals $0.60191 \ln|\Delta|$, and the number of prime ideals required to generate these class groups averages at approximately 3.3136. We assume that these results apply to our problem size as well. Hence for a random ideal class group of a 162-bit discriminant, it is very likely that a generating set of four prime ideals with the maximum norm 67 can be found. This observation is used in the next section where we model the choice of primes.

We make the assumption that walks with a supporting set that consists of ideals of small prime norm behave similarly to walks whose supporting set consists of random group elements.

¹²Parameters: $\lceil \log(p) \rceil = 90$, $4 \le r \le 16$; $w$, $\theta$, Cmax and $k_i$ are as in Experiment 1.
Table 3: Expected serial time (years) needed to solve a random Cℓ-GAIP over a 160-bit field. The two timings compared in the text ($r = 16$, $w = 1$ and $r = 9$, $w = 1/3$; bold in the original) are marked with *.

   r \ w       1      3/4     1/2     1/3     1/4
    4       8708    6940    5429    4727    4690
    5       6455    4495    2758    1925    1652
    6       5514    3396    1755    1130     988
    7       5068    2827    1334     904     858
    8       4891    2530    1154     847     848
    9       4930    2415    1093    *842     856
   10       5549    2548    1110     858     870
   11       6391    2723    1132     874     885
   12       7409    2915    1157     891     903
   13       8485    3095    1180     906     919
   14       9519    3255    1205     923     932
   15      10636    3396    1225     937     944
   16     *12200    3541    1242     949     955

6.3 Predicted Results 

In this section we estimate the time needed for solving a random instance of the isogeny problem over a 160-bit finite field using various numbers of partitions $r$ and partitioning probabilities $p$. The expected serial running time is computed using equation (1), which can be written as

$$\alpha\,\mathrm{E}(L_\pi)\,\sqrt{n}\,p_t .$$

The values $\mathrm{E}(L_\pi)$ are computed using Theorem 1 and approximations for $\alpha$ are based on our experimental data (partially displayed in Fig. 2). We take $n = 2^{80}$. What remains is to compute the average running time $p_t$ of one hop.

For the isogeny problem, the supporting set $H$ should be chosen to consist of prime ideals above the smallest integer primes which split in $\mathcal{O}$. If necessary, one or more prime ideals of larger norm are included in $H$ to ensure that $H$ generates $\mathrm{C}\ell(\mathcal{O})$. To compute the average product $p_t$ for given $r$ and $w$, we enumerate all subsets $H$ of $r$ primes larger than or equal to 3 with the $r - 4$ smallest primes in $H$ being less than or equal to¹³ $\mathrm{prime}_{2r-7}$, and the largest prime in $H$ lying between 67 and $\max(67, \mathrm{prime}_{r+\cdots})$. For every set $H$, a timing vector $t$ is constructed using the data in Fig. 3. Hence we compute the average $p_t$ over all $H$.

In Table 3 we give estimated times for solving a random instance of the isogeny problem over a 160-bit finite field (equivalently, the Cℓ-GAIP problem in $\mathrm{C}\ell(\mathcal{O})$ where $\mathcal{O} = \mathrm{End}(E)$ for an elliptic curve over a 160-bit finite field). The time is provided in years of serial execution on one Intel X5550 2.67 GHz CPU core. On a cluster with hundreds of thousands of cores the problem can be solved in a matter of hours.

We see from Table 3 that the best combination $r = 9$ and $w = 1/3$ is approximately 14 times faster than 16 equally-sized partitions (both timings are highlighted in the table). In fact all values within $7 \le r \le 16$, $w \in \{1/3, 1/4\}$ provide good speeds.

¹³Because approximately half of primes are split.
For the rest of the section we briefly consider the question of how much faster our algorithm is than the GHS algorithm as $q \to \infty$. Both algorithms require $O(\sqrt{n})$ bit operations, but it is not immediately clear that the ratio of running times is bounded as $q \to \infty$. Let us compare $r = 16$, $w = 1$ with $r = 9$, $w = 1/3$. First we make a simplifying assumption: for any problem instance, a supporting set $H$ consisting of the $r - 1$ smallest split primes and one prime close to $\ln(q)$ generates the class group. Using the prime number theorem we approximate the primes in $H$ by $\ell_i \approx 2i\ln(2i)$, for $1 \le i \le r-1$. We also approximate $\ell_r \approx \ln(q)$. Since $\ell_i \le \log(q)$ for sufficiently large $q$, the complexity (9) of one $\ell$-hop is $O(\ell \ln(\ell) \ln(q))$ field operations, which we further approximate by $c\,\ell \ln(q)$ for some constant $c$. The improvement ratio (i.e., speedup) is

$$\frac{(\mathrm{E}(L)\,p_t)|_{r=16,\,w=1}}{(\mathrm{E}(L)\,p_t)|_{r=9,\,w=1/3}} \approx \frac{1.836 \cdot \frac{1}{16}\left(\sum_{i=1}^{15} 2i\ln(2i)\ln(q) + \ln^2(q)\right)}{3.023 \left(\sum_{i=1}^{8} p_i\, 2i\ln(2i)\ln(q) + p_9 \ln^2(q)\right)} \approx 0.607 \cdot \frac{44.046 + \frac{1}{16}\ln(q)}{3.682 + \frac{1}{9841}\ln(q)} \to 0.607 \cdot \frac{9841}{16} \approx 373 \quad \text{as } q \to \infty,$$

where $p_1, \dots, p_9$ are the partitioning probabilities for $w = 1/3$ (so $p_9 = 1/9841$). Hence the improvement ratio slowly grows with $q$ and stabilizes at a few hundred for a very large $q$ (at $\ln(q) > 2^{\cdots}$ in the example above). Of course, problems of that size are not feasible, and 9 primes are probably not sufficient to generate a class group that big. The growth of the improvement ratio is hard to predict, but we see no reason for it to exceed $O(1)$ as $q \to \infty$.
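Added example (not code from the paper): the speed-up ratio above computed as a function of $\ln q$ under the same simplifying assumptions, with $\mathrm{E}(L)/\sqrt{n} = 1.836$ and $3.023$ taken from the text; the hop-cost constant $c$ cancels in the ratio, so it is omitted.

```python
"""Added example (not from the paper): the asymptotic improvement ratio of
Section 6.3.  Assumptions as in the text: the r-1 smallest split primes are
l_i ~ 2i ln(2i), the r-th prime is l_r ~ ln q, one l-hop costs c*l*ln(q), and
E(L)/sqrt(n) is 1.836 for (r=16, w=1) and 3.023 for (r=9, w=1/3)."""
import math


def partition_probs(r, w):
    """p_1..p_r proportional to 1, w, ..., w^(r-1), normalised to sum to 1."""
    raw = [w ** i for i in range(r)]
    total = sum(raw)
    return [x / total for x in raw]


def cost_coefficients(r, w):
    """(a, b) with average hop cost c*ln(q)*(a + b*ln(q)):
    a = sum_{i<r} p_i * 2i ln(2i) collects the small primes, b = p_r is the
    weight of the large prime l_r ~ ln q."""
    probs = partition_probs(r, w)
    a = sum(p * 2 * i * math.log(2 * i) for i, p in enumerate(probs[:-1], start=1))
    b = probs[-1]
    return a, b


def improvement_ratio(ln_q, e_l_uniform=1.836, e_l_uneven=3.023):
    """(E(L) p_t)|_{r=16,w=1} / (E(L) p_t)|_{r=9,w=1/3} at a given ln(q)."""
    a16, b16 = cost_coefficients(16, 1.0)
    a9, b9 = cost_coefficients(9, 1.0 / 3.0)
    return (e_l_uniform * (a16 + b16 * ln_q)) / (e_l_uneven * (a9 + b9 * ln_q))


def limit_ratio(e_l_uniform=1.836, e_l_uneven=3.023):
    """Value as q -> infinity: only the ln^2(q) terms survive, giving
    (1.836/3.023) * (1/16) / p_9 = 0.607 * 9841/16."""
    _, b16 = cost_coefficients(16, 1.0)
    _, b9 = cost_coefficients(9, 1.0 / 3.0)
    return (e_l_uniform / e_l_uneven) * (b16 / b9)


if __name__ == "__main__":
    a16, b16 = cost_coefficients(16, 1.0)
    a9, b9 = cost_coefficients(9, 1.0 / 3.0)
    print(f"r=16, w=1  : a = {a16:.3f}, b = 1/{1 / b16:.0f}")
    print(f"r=9,  w=1/3: a = {a9:.3f}, b = 1/{1 / b9:.0f}")
    for bits in (160, 244, 1024, 65536):
        print(f"log2(q) = {bits:6d}: ratio {improvement_ratio(bits * math.log(2)):.1f}")
    print(f"limit: {limit_ratio():.1f}")
```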



7 Conclusion 

In this paper we have improved the GHS algorithm for constructing isogenies between ordinary elliptic curves. Our improvement is by an $O(1)$ factor, which was estimated to be approximately 14 for random 160-bit elliptic curves with comparable conductors. This is a significant acceleration. Nevertheless, the asymptotic complexity of the $\mathbb{F}_q$-isogeny problem for curves with comparable conductors is $O(q^{1/4+o(1)} \log^2(q) \log(\log(q)))$ field operations, as before.